EFF to Verizon: Etisalat Certificate Authority Threatens Web Security

EFF will soon be launching the SSL Observatory project, an effort to monitor and secure the cryptographic infrastructure of the World Wide Web. There is much work to be done, and we will need the help of many parties to make the HTTPS-encrypted web genuinely trustworthy. To see why, you can read the following letter, which we are sending to Verizon today:

We are writing to request that Verizon investigate the security and privacy implications of the SSL CA certificate (serial number 0x40003f1) that Cybertrust (now a division of Verizon) issued to Etisalat on the 19th of December, 2005, and evaluate whether this certificate should be revoked.

As you are aware, Etisalat is a telecommunications company headquartered in the United Arab Emirates. In July 2009, Etisalat issued a mislabeled firmware update to approximately 100,000 of its BlackBerry subscribers that contained malicious surveillance software [1]. Research In Motion subsequently issued patches to remove this malicious code [2].

More recently, the United Arab Emirates Telecommunications Regulatory Authority and Etisalat threatened to discontinue service to BlackBerry users, claiming that these devices "allow users to act without any legal accountability, causing judicial, social and national security concerns for the UAE", apparently on account of Research In Motion's refusal to offer surveillance back doors in its encryption services [3].

These events clearly demonstrate that Etisalat and the UAE regulatory environment within which it operates are institutionally hostile to the existence and use of secure cryptosystems. It is therefore of great concern to us that Etisalat is in possession of a trusted SSL CA certificate and the accompanying private key, which effectively functions as a master key for the encrypted portion of the World Wide Web. Etisalat could use this key to issue itself valid HTTPS certificates for verizon.com, eff.org, google.com, microsoft.com, or indeed any other website. Etisalat could use those certificates to conduct virtually undetectable surveillance and attacks against those sites. Etisalat's keys could also possibly be used to obtain access to some corporate VPNs.

We believe this situation constitutes an unacceptable security risk to the Internet in general and especially to foreigners who use Etisalat's data services when they travel.

We do not know whether Etisalat is willing to use its SSL CA keys for surveillance; however, the malicious code that Etisalat distributed last year had been signed by cryptographic keys that gave it access to various security-sensitive parts of the BlackBerry's API [4][5], indicating a willingness on Etisalat's part to use other keys for the wholesale subversion of security measures intended to protect users' privacy.

Because Microsoft, Mozilla, and other browser vendors have chosen to delegate certificate issuing authority to Verizon/Cybertrust, and because Cybertrust in turn chose to delegate this authority to Etisalat, Verizon is now the only party in a position to mitigate this risk to Internet security in a manner that is prompt and minimizes side-effects. We therefore request that Verizon reevaluate whether Etisalat is a trustworthy Certificate Authority, and determine whether it may be appropriate to issue a new CRL revoking Etisalat's CA certificate.
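
The delegation chain the letter describes (browser-trusted root, then a subordinate CA, then a site certificate) can be audited on the client side. The following is an added example, not part of EFF's letter: it builds a constructed chain with Go's standard library, shows that a leaf for an arbitrary host validates through an unconstrained sub-CA, and flags any CA in the validated path that carries a given serial number. All certificate names and the host are made up; only the serial 0x40003f1 comes from the letter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate; a nil parent means self-signed.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey, dns ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: dns}
	if parent == nil { parent, pk = t, key }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// FlagSubCA validates a constructed leaf for host, then reports every CA in
// the validated path whose serial equals flagged. Serials are unique only per
// issuer, so a production check would also compare the issuer name, which the
// letter does not give.
func FlagSubCA(host string, subSerial int64, flagged *big.Int) []string {
	root, rk := issue("Constructed Root CA", 1, true, nil, nil)
	sub, sk := issue("Constructed Sub-CA", subSerial, true, root, rk)
	leaf, _ := issue(host, 1001, false, sub, sk, host)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(sub)
	// Validation succeeds for any host: the sub-CA has no name constraints.
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	if err != nil { panic(err) }
	var out []string
	for _, c := range chains[0][1:] { // skip the leaf itself
		if c.IsCA && c.SerialNumber.Cmp(flagged) == 0 {
			out = append(out, fmt.Sprintf("%s serial=0x%x dns-constrained=%t",
				c.Subject.CommonName, c.SerialNumber, len(c.PermittedDNSDomains) > 0))
		}
	}
	return out
}

func main() { fmt.Println(FlagSubCA("www.example.test", 0x40003f1, big.NewInt(0x40003f1))) }
```

The same loop applies to a real connection by iterating over the verified chains a TLS client receives instead of the constructed one.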
